How to Choose HIPAA-Compliant Cloud Services for Healthcare

December 13, 2016

10549

Last quarter, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a guidance on HIPAA and cloud computing. The guidance confirms that cloud service providers (CSPs) that create, receive, maintain, or transmit protected health information (PHI) are business associates under HIPAA and therefore their services must comply with HIPAA requirements.

The guidance also points out that covered entities and their CSPs need to have a properly executed business associate contract or agreement (BAA) in place to avoid possible cloud computing legal issues in the future. Case in point: In July 2016, a health and science university in Oregon entered into a settlement with the OCR amounting to $2.7 million in total violations. One of these violations includes the storage of the PHI of more than 3,000 individuals on a cloud-based server without a business associate agreement.

Below is a summary of other key concerns for choosing HIPAA-compliant cloud services for healthcare:

Can HIPAA data be stored outside the USA?
A HIPAA-covered entity or business associate can use a CSP that stores PHI on servers outside of the United States. The guidance reiterates that covered entities must still enter into a BAA with the CSP and should comply with the applicable requirements of the HIPAA rules. Moreover, the OCR notes that in these cases, covered entities need to be aware that data security and privacy risks may vary greatly depending on the geographic location of the PHI, and should employ the necessary preventive measures in their respective security analyses when choosing CSPs. For example, in countries where ransomware attacks are common, covered entities should focus on what technical safeguards to put in place so that if a malware gets into the system, the damage can be contained. Read the Ransomware and HIPAA Fact Sheet for more information.

How important is reporting of security incidents?
If a CSP experiences a security incident, it must report the incident to the covered entity or business associate. As many know, HIPAA requires business associates to identify and respond to attempted or successful security incidents. Reporting a security incident is bad enough given the costs and administrative tasks involved, but even more worrisome are the consequences for failing to do otherwise. If discovered, such failure would likely constitute willful neglect, mandatory penalties, and civil lawsuits, thereby subjecting the covered entity or CSP to penalties that could go up to $250,000 fine and ten years in prison.

Can HIPAA data be accessed via mobile phones?
Healthcare providers or business associates are allowed to use mobile devices to access PHI stored in the cloud. This is deemed acceptable as long as appropriate physical, administrative, and technical safeguards are in place. Among other guidelines to protect the confidentiality, integrity, and availability of PHI, the OCR issued guidance on the use of mobile devices and tips for securing PHI on mobile devices for further reference.

Is a BAA required if a CSP does not have decryption key to encrypted data?
A CSP that stores only encrypted PHI and does not have a decryption key is still considered a HIPAA business associate. Therefore, under the HIPAA rules, a CSP is not exempt from business associate status, even if it lacks a decryption key, since the CSP still receives and maintains PHI for a covered entity or another business associate. The guidance also notes that even though encryption may provide “safe harbor” from breach notification obligations, CSPs must not rely solely on encryption to fulfill their responsibilities. For instance, encryption alone does not address how the CSP will maintain the integrity of the PHI from malware attacks, neither does it ensure the availability of PHI in case of a catastrophe. In this case, the OCR suggests CSPs to have administrative safeguards to analyze risks to the PHI, as well as physical safeguards for systems and servers that may house the PHI.

With a BAA in place, is a SLA still required?
Yes, and the terms of the SLA should be consistent with the BAA and the HIPAA Rules. Taking the guidance into account, the OCR points out that a Service Level Agreement can be used to address more specific business expectations between covered entities and CSPs as they relate to HIPAA concerns, such as:

1. System availability and reliability
2. Back-up and data recovery
3. How the PHI will be returned or destroyed after ending the service
4. Responsibility for specific security controls (e.g. user authentication and authorization to PHI)
5. Limitations on use, disclosure, and retention of the PHI

Ensuring HIPAA best practices
Healthcare providers and professionals are well-aware that protecting patients’ health information is an essential component in building patient trust. Therefore, covered entities and business associates who are looking to use cloud computing solutions should conduct their own thorough analysis to ensure that their CSPs are capable of protecting PHI in a manner that conforms with HIPAA rules and regulations.

Caspio’s HIPAA-Compliant Edition provides all the required HIPAA safeguards to help you build healthcare-related cloud applications while protecting the confidentiality, integrity, and availability of PHI. All PHI are encrypted both at rest and in transit, access to data is logged and archived according to HIPAA requirements, and Caspio maintains BAAs with its vendors and offers BAAs to its customers.

How Caspio is used by the healthcare industry
As an open platform for creating custom business applications, Caspio is used to create variety of data management applications. For healthcare, some examples include: